Wrong generated v1/authorize url with passport-okta-oauth and express in nodejs

Hi all,
I need to integrate an authorization code flow in a nodejs app provided by a third-party publisher. I'm a newbie in node so I have done something like that:

  const https = require('https'),
    url = require('url'),
    fs = require('fs'),
    path = require('path'),
    zlib = require('zlib');
  const port = process.argv[2] || 8080;
  const basepath = process.argv[3] || null;
  const express = require('express');
  const session = require('express-session');
  const passport = require('passport');
  const OktaStrategy = require('passport-okta-oauth').Strategy;
  const app = express();
  const oktaConfig = {
    clientID: '<redacted>',
    clientSecret: '<redacted>',
    callbackURL: 'http://localhost/authorization-code/callback',
    tokenURL: 'https://domain/oauth2/*****************/v1/token',
    authorizationURL: 'https://domain/oauth2/*****************/v1/authorize',
    audience: 'https://domain/oauth2/*****************/',
    issuer: 'https://domain/oauth2/*****************/',
    scope: ['openid', 'profile', 'email']
  };
  passport.use(new OktaStrategy(oktaConfig,
    (accessToken, refreshToken, profile, done) => {
      return done(null, profile);
    }
  ));
  passport.serializeUser((user, done) => {
    done(null, user);
  });
  passport.deserializeUser((user, done) => {
    done(null, user);
  });
  app.use(session({
    secret: 'your-session-secret',
    resave: false,
    saveUninitialized: false
  }));
  app.use(passport.initialize());
  app.use(passport.session());
  app.use((req, res, next) => {
    console.log(`${req.method} ${req.url}`); // template literal; the backticks were lost in the post
    next();
  });
  app.get('', passport.authenticate('okta')); // route path did not survive the forum formatting
  app.get('/authorization-code/callback',
    passport.authenticate('okta', { failureRedirect: '/' }),
    (req, res) => {
      res.redirect('/');
    }
  );
  app.use('/', (req, res, next) => {
    if (!req.isAuthenticated()) {
      return res.redirect('/');
    }
    next();
  });
  const privateKey = fs.readFileSync('/certificates/cert.key', 'utf8');
  const certificate = fs.readFileSync('/certificates/cert.pem', 'utf8');
  const options = { key: privateKey, cert: certificate };
  app.get('', (req, res, next) => { // route path did not survive the forum formatting
    // ... app code ...
  });
  https.createServer(options, (req, res) => {
    app(req, res);
  }).listen(parseInt(port));

The issue is that when the v1/authorize request is generated, the concatenation is wrong. I get oauth2 twice:
https://domain/oauth2/*****************/oauth2/v1/authorize instead of
https://domain/oauth2/*****************/v1/authorize

Do you have any idea to fix it?
Best, thx

Based on what I’m seeing in the code for this library, it looks like it only supports the Org Authorization Server and will automatically append /oauth2/v1/authorize to the audience supplied in the configuration, with the audience set to the Okta domain per the setup instructions.

option.authorizationURL = option.audience + "/oauth2/v1/authorize";
option.tokenURL = option.audience + "/oauth2/v1/token";
option.userInfoUrl = option.audience + "/oauth2/v1/userinfo";

This means that, at least in its current state, it does not support use of a Custom Authorization Server (since its authorization server ID would be part of the request path). If you need to use a custom authorization server for your use case, you may want to reach out to the maintainer of the library (it's not an official Okta library) or fork it to make these modifications, or use a more generic library that allows you to configure each endpoint manually or provide the well-known endpoint so that it can fetch the correct endpoints automatically.
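As an added example (my own code, not the poster's and not part of passport-okta-oauth), the block below mirrors the three concatenations quoted from the library above, derives the correct endpoints for an Org Authorization Server or a Custom Authorization Server from the issuer URL, and reviews a config object for the two problems visible in the original post: an audience that is already a custom authorization server, and a callback URL that is not https. `domain`, the server id `abc123` and the callback URLs are constructed placeholders; it runs with plain Node.js and no third-party modules.

```javascript
// Added example: not from the original post, nor from passport-okta-oauth.
// `domain`, `abc123` and the callback URLs below are constructed placeholders.

// Mirrors the library's own concatenation: every endpoint is
// `audience` + '/oauth2/v1/...', so `audience` must be the bare Okta org URL,
// never an issuer that already contains /oauth2/<serverId>.
function passportOktaEndpoints(audience) {
  return {
    authorizationURL: audience + '/oauth2/v1/authorize',
    tokenURL: audience + '/oauth2/v1/token',
    userInfoUrl: audience + '/oauth2/v1/userinfo',
  };
}

// Classifies an Okta issuer URL by its path:
//   Org Authorization Server:    https://<domain>              (empty path)
//   Custom Authorization Server: https://<domain>/oauth2/<id>  ('default' is such an id too)
function classifyIssuer(issuer) {
  const u = new URL(issuer);
  const segments = u.pathname.split('/').filter(Boolean); // filter also drops a trailing slash
  if (segments.length === 0) {
    return { kind: 'org', origin: u.origin, serverId: null };
  }
  if (segments.length === 2 && segments[0] === 'oauth2') {
    return { kind: 'custom', origin: u.origin, serverId: segments[1] };
  }
  throw new Error('not an Okta issuer URL: ' + issuer);
}

// Endpoints to hand a generic OAuth2/OIDC library for either kind of server.
// Both kinds keep the /v1/... suffix; only the prefix before it differs.
function oktaEndpoints(issuer) {
  const { kind, origin, serverId } = classifyIssuer(issuer);
  const canonicalIssuer = kind === 'org' ? origin : `${origin}/oauth2/${serverId}`;
  const base = kind === 'org' ? `${origin}/oauth2` : canonicalIssuer;
  return {
    kind,
    issuer: canonicalIssuer,
    authorizationURL: `${base}/v1/authorize`,
    tokenURL: `${base}/v1/token`,
    userInfoUrl: `${base}/v1/userinfo`,
    // Discovery document: a library that accepts this fetches the rest itself.
    wellKnown: `${canonicalIssuer}/.well-known/openid-configuration`,
  };
}

// Reviews a passport-okta-oauth config object and returns readable findings.
function reviewConfig(cfg) {
  const findings = [];
  if (classifyIssuer(cfg.audience).kind === 'custom') {
    findings.push(
      'audience is a custom authorization server; passport-okta-oauth will request ' +
      passportOktaEndpoints(cfg.audience).authorizationURL +
      ' instead of ' + oktaEndpoints(cfg.audience).authorizationURL
    );
  }
  const cb = new URL(cfg.callbackURL);
  if (cb.protocol !== 'https:' && cb.hostname !== 'localhost') {
    findings.push('callbackURL is not https: the authorization code would be delivered in clear text');
  }
  return findings;
}

// Demo on a config shaped like the one in the original post (placeholders).
const demoConfig = {
  audience: 'https://domain/oauth2/abc123',
  callbackURL: 'http://localhost/authorization-code/callback',
};
for (const finding of reviewConfig(demoConfig)) {
  console.log('- ' + finding);
}
```

Running it prints the doubled `/oauth2/` path the original post reports next to the URL a custom authorization server actually expects; `oktaEndpoints` (or its `wellKnown` URL) is what you would feed a generic library that lets you set each endpoint or the discovery document explicitly.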

Thanks Andrea for this information. I will try with another lib.
